Mailing List Archive

no404
Hi,

(This is long, but please bear with me)

I am sorry to bring this up, but it seems that there are too many "trickle
through" cases where Nessus will cause false positives when trying to access
pages that are not answering with a "404 File not found" response.

As far as I can see:
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/no404.nasl
And
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-libraries/libnessus/www_funcs.c

Won't handle cases such as:
302 Found (as used by some firewalls, IDS, etc. to redirect to a "caught you"
page),
400 Bad Request (caused by incomplete requests; for example, certain accesses
to a file parser cause it, a file parser that captures all incoming requests
and handles them, i.e. even accessing /foobar will cause this error),
401 Unauthorized (username required),
403 Forbidden (IP-limited hosts),
500 Internal Server Error (very similar to the one for bad request, usually due
to an internal server misconfiguration, but causes false positives),
503 Service Unavailable (this is very silly, I know, but still Nessus obviously
falls over it).

I would conclude that one of the two should be done:
www_funcs.c should be modified to only rely on no404's findings, not
implement its own reparsing such as in the case of "301 Moved Permanently",
but rather only do that if:
1) no404 failed to find any recognizable pattern.
2) it is obvious that the reply was a valid one (this is a tricky part, but
making part (1) as good as possible will reduce this).

no404.nasl currently doesn't detect such problems well because:
1) The case-sensitivity handling fails sometimes, I can't figure out why, and
Renaud doesn't seem to have gotten around to fixing it yet.
2) It only checks for:
   1) title repeat
   2) not found string.
   3) 404 string.

What should be added to no404.nasl? (as far as I can see)
1) File requested reply (something of the sort of "Location:
/error.htm?file=requested_filename_by_nessus")
2) 401 Authorization Failed on everything (even on access of "/"), or any
other HTTP response for multiple requests, even valid ones, such as "/".
3) Any others?

Why am I contacting you?
Because I can 100% and still miss a lot of things, different servers, might
make it false positive, or maybe you even can think of a different better
test?

What will happen if nothing is done?
The number of false positives will grow each time new CGI tests are added;
scans of:
1) Multiple hosts will show more false positives than usual
2) Webmin, Apache/IIS (IP secured and username secured), etc. will show all
possible false positives for server-based scans.
3) The value given by scanning for selective CGI names will drop; plugins will
need to be custom tailored for each exploit, i.e. you will not be able to
trust is_cgi_installed() to return a valid answer for a known CGI filename
that contains a vulnerability, but will rather need to exploit the remote
CGI (breaking the idea of Safe Checks).

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com
Re: no404 [ In reply to ]
> access to file parser cause it, file parser that capture all incoming
> request and handle them, i.e. even accessing /foobar will cause this error),
> 401 Unauthorized (Username required), 403 Forbidden (IP limited hosts), 500
> Internal Server Error (Very similar to the one for bad request, usually due

500 errors are a TRUE positive for some of the IIS crap.

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net/
Re: no404 [ In reply to ]
On Sun, May 05, 2002 at 10:53:29PM +0200, Noam Rathaus wrote:
> Hi,
>
> This is a single case, I saw others that weren't, i.e. they were
> misconfigured host that would return 500 for EVERY record requested. This
> should be handled quite easily in my opinion.

Then the server does not work at all and no false positive is returned.



-- Renaud
Re: no404 [ In reply to ]
On Sun, May 05, 2002 at 10:40:39PM +0200, Noam Rathaus wrote:
> Won't handle cases such as:
> 302 Found
> 400 Bad Request
> 401 Unauthorized
> 403 Forbidden
> 500 Internal Server Error
> 503 Service Unavailable

Errr, it seems you're misinterpreting the code :

- no404.nasl :
- We determine if the remote service replies with a code 200
(or 301 [redirect]) when a bad request is made ;

- www_funcs.nasl :
- Makes a request and expects a 200 error code, or works
around cases where a code 200 is replied when the file
does not exist


So I don't understand why you see that as a problem. This won't cause
false positives.



-- Renaud
Re: no404 [ In reply to ]
On Sun, May 05, 2002 at 11:14:18PM +0200, Noam Rathaus wrote:
> And also what about 302? Moved Permanently?

302 is being handled by www_funcs.c
Re: no404 [ In reply to ]
On Sun, May 05, 2002 at 11:10:09PM +0200, Noam Rathaus wrote:
> If this is valid, how come for example scanning a Webmin host, or one that
> returns a 301 HTTP answer (Location:...) with no content, i.e. after
> http_recv_headers() nothing will be left to receive, get a lot of false
> positives? (Webmin responds with a 200 all the time).

As I said : Only code 200 (and 302) are being looked for. So yes,
servers which reply with a code 200 may produce false positive if the
workaround of no404.nasl is not effective (see the mailing list archives
about this for thousands of discussions about this).

I'd be surprised to see a host which __always__ reply with a code 301
produce many false positives.

-- Renaud
Re: no404 [ In reply to ]
On Sun, May 05, 2002 at 10:53:29PM +0200, Noam Rathaus wrote:
> Hi,
>
> This is a single case, I saw others that weren't, i.e. they were
> misconfigured host that would return 500 for EVERY record requested. This
> should be handled quite easily in my opinion.

Then they don't reply with code 200 and no false positive is produced.

End of story.
Re: no404 [ In reply to ]
> returns a 301 HTTP answer (Location:...) with no content, i.e. after
> http_recv_headers() nothing will be left to receive, get a lot of false
> positives? (Webmin responds with a 200 all the time).


webmin broke.
lart www.webmin.com, or submit patches.

lots of 'tiny' apps broke,
I sometimes use 'fetch' and 'wget' to double check, and, yep, so far, on
all nessus 'false positives', fetch and wget had problems also (they
didn't understand the error pages either)
--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@secnap.net
http://www.secnap.net/
Re: no404 [ In reply to ]
On Sun, May 05, 2002 at 11:26:05PM +0200, Noam Rathaus wrote:
> Hi,
>
> I can't find
> http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-libraries/libnessus/www_funcs.c
> any reference to the number 302, therefore I can't see how it would
> handle it.

Sorry, I meant 301 - there's an issue here, you're right.


-- Renaud
Re: no404 [ In reply to ]
Hi,

This is a single case, I saw others that weren't, i.e. they were
misconfigured host that would return 500 for EVERY record requested. This
should be handled quite easily in my opinion.

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "Michael Scheidell" <scheidell@secnap.net>
To: "Noam Rathaus" <noamr@beyondsecurity.com>
Cc: "Nessus Mailing List" <nessus@list.nessus.org>; "Nessus Plugins Writers"
<plugins-writers@list.nessus.org>; "Renaud Deraison"
<deraison@cvs.nessus.org>
Sent: Sunday, May 05, 2002 21:50
Subject: Re: no404


> > access to file parser cause it, file parser that capture all incoming
> > request and handle them, i.e. even accessing /foobar will cause this error),
> > 401 Unauthorized (Username required), 403 Forbidden (IP limited hosts), 500
> > Internal Server Error (Very similar to the one for bad request, usually due
>
> 500 errors are a TRUE positive for some of the IIS crap.
>
> --
> Michael Scheidell
> SECNAP Network Security, LLC
> (561) 368-9561 scheidell@secnap.net
> http://www.secnap.net/
>
>
Re: no404 [ In reply to ]
Hi,

If this is valid, how come for example scanning a Webmin host, or one that
returns a 301 HTTP answer (Location:...) with no content, i.e. after
http_recv_headers() nothing will be left to receive, get a lot of false
positives? (Webmin responds with a 200 all the time).

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "Renaud Deraison" <deraison@nessus.org>
To: "Nessus Mailing List" <nessus@list.nessus.org>; "Nessus Plugins Writers"
<plugins-writers@list.nessus.org>
Sent: Sunday, May 05, 2002 21:59
Subject: Re: no404


> On Sun, May 05, 2002 at 10:40:39PM +0200, Noam Rathaus wrote:
> > Won't handle cases such as:
> > 302 Found
> > 400 Bad Request
> > 401 Unauthorized
> > 403 Forbidden
> > 500 Internal Server Error
> > 503 Service Unavailable
>
> Errr, it seems you're misinterpreting the code :
>
> - no404.nasl :
> - We determine if the remote service replies with a code 200
> (or 301 [redirect]) when a bad request is made ;
>
> - www_funcs.nasl :
> - Makes a request and expects a 200 error code, or works
> around cases where a code 200 is replied when the file
> does not exist
>
>
> So I don't understand why you see that as a problem. This won't cause
> false positives.
>
>
>
> -- Renaud
>
>
>
Re: no404 [ In reply to ]
And also what about 302? Moved Permanently?

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "Noam Rathaus" <noamr@beyondsecurity.com>
To: "Renaud Deraison" <deraison@nessus.org>; "Nessus Mailing List"
<nessus@list.nessus.org>; "Nessus Plugins Writers"
<plugins-writers@list.nessus.org>
Sent: Sunday, May 05, 2002 23:10
Subject: Re: no404


> Hi,
>
> If this is valid, how come for example scanning a Webmin host, or one that
> returns a 301 HTTP answer (Location:...) with no content, i.e. after
> http_recv_headers() nothing will be left to receive, get a lot of false
> positives? (Webmin responds with a 200 all the time).
>
> Thanks
> Noam Rathaus
> http://www.BeyondSecurity.com
> http://www.SecuriTeam.com
>
Re: no404 [ In reply to ]
Hi,

I can't find in
http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-libraries/libnessus/www_funcs.c
any reference to the number 302, therefore I can't see how it would
handle it.

Thanks
Noam Rathaus
http://www.BeyondSecurity.com
http://www.SecuriTeam.com

----- Original Message -----
From: "Renaud Deraison" <deraison@nessus.org>
To: "Nessus Mailing List" <nessus@list.nessus.org>; "Nessus Plugins Writers"
<plugins-writers@list.nessus.org>
Sent: Sunday, May 05, 2002 22:19
Subject: Re: no404


> On Sun, May 05, 2002 at 11:14:18PM +0200, Noam Rathaus wrote:
> > And also what about 302? Moved Permanently?
>
> 302 is being handled by www_funcs.c
>
>
Re: no404 [ In reply to ]
On Sunday 05 May 2002 03:40 pm, Noam Rathaus wrote:
> Hi,
>
> (This is long, but please bear with me)
>
> I am sorry to bring this up, but it seems that there are too many "trickle
> though" cases where Nessus will cause false positives when trying to access
> pages that are not answering a "404 File not found" response.

Had a similar issue, here is a modified version (not complete) which seems to
work around most of these problems:

#
# The script code starts here
#
# (The usual if(description) { ... } header block of a Nessus plugin is
# not shown; this is the body only.)
#

# Request one URL on the given port and return the raw reply, or 0 if no
# connection could be made.  NASL user functions take named arguments, so
# callers must use check(url:..., port:...).
function check(url, port)
{
  req = http_get(item:url, port:port);

  soc = open_sock_tcp(port);
  if (!soc) { return (0); }

  send(socket:soc, data:req);
  result = recv(socket:soc, length:8192, timeout:20);
  close(soc);
  return(result);
}

# Return the first pattern of the global errmsg[] list that matches the
# reply (case-insensitively), or 0 if none does.
function find_err_msg(buffer)
{
  cmsg = 0;
  for (cmsg = 0; errmsg[cmsg]; cmsg = cmsg + 1)
  {
    cpat = errmsg[cmsg];
    if (ereg(pattern:cpat, string:buffer, icase:TRUE))
    {
      return(cpat);
    }
  }

  return (0);
}

# Build the list of test URLs: files that cannot exist, with several
# extensions and under /cgi-bin/ as well as the document root, since a
# server may answer the two locations differently.

badurl[0] = string("/NESS_no404.html");
badurl[1] = string("/NESS_no404.cgi");
badurl[2] = string("/NESS_no404.sh");
badurl[3] = string("/NESS_no404.pl");
badurl[4] = string("/cgi-bin/NESS_no404.html");
badurl[5] = string("/cgi-bin/NESS_no404.cgi");
badurl[6] = string("/cgi-bin/NESS_no404.sh");
badurl[7] = string("/cgi-bin/NESS_no404.pl");

# Strings that identify an error page served with a 200 status.
errmsg[0] = "not found";
errmsg[1] = "404";
errmsg[2] = "error has occurred";
errmsg[3] = "firewall-1 message";
errmsg[4] = "Reload acp_userinfo database";
errmsg[5] = "IMail Server Web Messaging";

debug = 0;    # set to 1 to trace the probes with display()

port = get_kb_item("Services/www");
if(!port) port = 80;
if(!get_port_state(port)) exit(0);

for (c = 0; badurl[c]; c = c + 1)
{
  url = badurl[c];

  if(debug) display("Checking URL ", url, "\n");

  ret = check(url:url, port:port);
  if (ret != 0)
  {
    # the status line, e.g. "HTTP/1.1 200 OK"
    raw_http_line = egrep(pattern:"^HTTP/", string:ret);

    # A 200 for a file that cannot exist: look for a "not found" marker in
    # the body and record it, so is_cgi_installed() can recognise the page.
    if(ereg(pattern:"^HTTP/[0-9.]+ 200", string:raw_http_line))
    {
      not_found = find_err_msg(buffer:ret);
      if (not_found != 0)
      {
        found = string("www/no404/", port);
        set_kb_item(name:found, value:not_found);
        security_note(port:port, data:not_found);
        if(debug) display("200: Using string: ", not_found, "\n");
        exit(0);
      }
      # 200 with no recognisable marker: try the next URL
    }

    # A 301/302 redirect for a missing file (a "caught you" page, or an
    # error page whose Location carries the requested name): record the
    # status line itself as the marker.
    if(ereg(pattern:"^HTTP/[0-9.]+ 30[12]", string:raw_http_line))
    {
      found = string("www/no404/", port);
      set_kb_item(name:found, value:raw_http_line);
      security_note(port:port, data:raw_http_line);
      if(debug) display("30x: Using ", raw_http_line, "\n");
      exit(0);
    }
  }
  else
  {
    if(debug) display("An error occurred when trying to request: ", url, "\n");
  }
}
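Added example, not from the thread and not Nessus code: a small Python rendition of the baseline that Noam's first message asks for and that the NASL script above starts on. It classifies the reply to a probe for a file that cannot exist, using the reply for "/" to tell a catch-all answer (the same 401, 403, 500 or 503 for everything) from a genuine error, looks for the "not found"/404 strings, the repeated title and a Location header that echoes the requested filename, and then applies that baseline the way is_cgi_installed() would. The probe name, the pattern list, the Baseline fields and the sample replies are my own assumptions; the replies are constructed, not captured from real servers.

```python
"""Baseline how a web server answers a request for a file that cannot exist,
then use that baseline to decide whether a later 200 reply means "present".
Added illustration; not part of the thread or of Nessus."""
import re
from dataclasses import dataclass
from typing import Optional

# Probe for a file that cannot exist (same naming style as the script above).
PROBE = "/NESS_no404.cgi"

# Strings that mark an error page served with status 200 (assumed list,
# modelled on the errmsg[] table of the posted script).
ERROR_PATTERNS = [re.compile(p, re.I) for p in
                  (r"not found", r"\b404\b", r"error has occurred")]


@dataclass
class Baseline:
    kind: str              # how the server signals a missing file
    marker: Optional[str]  # text that identifies its error reply, if any
    trustworthy: bool      # may a 200 reply be read as "file exists"?


def parse(raw: bytes):
    """Split a raw HTTP/1.x reply into (status, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"^HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body.decode("latin-1", "replace")


def title(body: str) -> Optional[str]:
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else None


def baseline(probe_raw: bytes, root_raw: bytes) -> Baseline:
    """Classify the reply to PROBE.  The reply for "/" tells a genuine error
    from a server that answers every request the same way."""
    status, headers, body = parse(probe_raw)
    root_status, _, root_body = parse(root_raw)
    if status == 404:
        return Baseline("404", None, True)
    if status == 200:
        for pat in ERROR_PATTERNS:           # "not found", 404, ... in a 200 body
            m = pat.search(body)
            if m:
                return Baseline("200-error-string", m.group(0), True)
        t = title(body)
        if t and t == title(root_body):      # same <title> as the front page
            return Baseline("200-title-repeat", t, True)
        return Baseline("200-no-marker", None, False)
    if status in (301, 302):
        loc = headers.get("location", "")
        if PROBE in loc:                     # e.g. /error.htm?file=/NESS_no404.cgi
            return Baseline("redirect-echoes-path", loc.replace(PROBE, ""), True)
        return Baseline("redirect", loc or None, True)
    # 400/401/403/500/503: only tells us something if "/" is served normally
    if root_status == status:
        return Baseline("catch-all-%d" % status, None, False)
    return Baseline("status-%d" % status, None, True)


def looks_present(raw: bytes, b: Baseline) -> bool:
    """The is_cgi_installed() decision: does this reply mean the file exists?"""
    if not b.trustworthy:
        return False                         # nothing can be concluded on this host
    status, _, body = parse(raw)
    if status != 200:
        return False
    if b.kind == "200-error-string":
        return b.marker.lower() not in body.lower()
    if b.kind == "200-title-repeat":
        return title(body) != b.marker
    return True


# Constructed sample replies (not captured from real servers).
ROOT_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>Home</title></html>"
APACHE_404 = b"HTTP/1.1 404 Not Found\r\n\r\n<html><title>404 Not Found</title></html>"
SOFT_404 = b"HTTP/1.1 200 OK\r\n\r\n<html><title>Error</title>The file was not found.</html>"
WEBMIN_LOGIN = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"<html><title>Login to Webmin</title>You must enter a username.</html>")
IIS_REDIRECT = b"HTTP/1.1 302 Object Moved\r\nLocation: /error.htm?file=/NESS_no404.cgi\r\n\r\n"
AUTH_ALL = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"admin\"\r\n\r\n"

if __name__ == "__main__":
    for name, probe, root in (("apache", APACHE_404, ROOT_OK), ("soft404", SOFT_404, ROOT_OK),
                              ("webmin", WEBMIN_LOGIN, WEBMIN_LOGIN),
                              ("iis", IIS_REDIRECT, ROOT_OK), ("auth", AUTH_ALL, AUTH_ALL)):
        print(name, baseline(probe, root))
```

The two camps in the thread both come out of this: a host that answers 401 or 500 to "/" as well as to the probe is marked untrustworthy, and looks_present() then says no for every path, which is Renaud's point that a server never returning 200 produces no false positive (and no detection either). The Webmin case is the other side: everything is a 200, and only the repeated title or a "not found" string stands between the scanner and a false positive, so a 200 with no marker at all is deliberately not trusted.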